In this episode, we cover:

Today, we speak to Michael Cottam, the founder of the Visual Itineraries-a travel planning website with tools for consumers, travel agents, and travel agency websites. He has worked in probably 30 to 40 computer languages, ranging from several flavors of assembler to C++ to ASP, HTML, and CSS.

In this episode, Michael will tell us how to safeguard your website from negative SEO attacks.

Stay tuned for the next podcast episode, where our guest, Cody Jensen, shares a few trendy tips to rank on Google smartly.

Show Notes Explanation

Hey guys, welcome to another episode of SEO on Air. I have a question for you guys. So, how many times have you seen your website ranking well for some of your competitive keywords, and then all of a sudden, one day, you realize that there are tons of backlinks being detected on SEMrush or whatever tools that are used for keeping track of the backlinks?

After which you don’t know what to do next. Probably, that might be a negative SEO attack, and so, to know more about what is negative SEO, why people do it, and how to avoid such things, we have an expert with us. His name is Michael Cottam.

To give you a background about Michael, he has been in this industry since 1986. I mean, not in the SEO industry, of course, but he’s been a tech guy. He co-founded a website called the big day, a honeymoon registry service, in May 2001 with his friend, where he developed his SEO skills.

Right now, he’s a founder of the Visual Itineraries. He’s been a founder for the last ten years, and he’s also an independent SEO consultant. So if that is anything related to SEO in terms of negative SEO attack or anything, you guys can feel free to reach out to him. We’ll be adding a link to his profile and his contact page so you guys can feel free to get in touch with him. Michael, welcome to the show.

Time Stamp: 01:57-03:36

Senthil: So. Mike, the million-dollar question, what is this negativity all about?

Michael: Well, when SEO first started, Google was so heavily reliant on links as an indicator of what was a good site versus a bad site and popular versus unpopular site. Because links were such a big deal, a lot of black hat SEOs said, hey Google, if the link is what it takes to rank, we know how to make some links.

So, all sorts of crazy schemes were developed by SEO folks to build tons of links that worked like real votes from real people for them. So Google countered with their algorithm and manual penalties to try to spot people who are playing games and abusing linking schemes.

So, what would happen is you would be ranked on page one for a while until Google notices what you’ve been doing to get there, and they’d push you down to page 10 or page six or something like that. That was the origin of the Google penalty.

Negative SEO  is trying to make it look like you were playing these kinds of linking games so that Google will get you penalized. So, a competitor, rather than doing good marketing to make their own site rank better and get legitimate links, turns around and says, how about I just push down my competitors instead by trying to get them penalties? And so, they’ll hire a negative SEO company to go and build all sorts of toxic links to get them penalized and bubble up themselves to the top of page one.

Time Stamp: 03:45-05:14

Senthil: How prevalent is this practice?

Michael: Well, I guess you could look at it from two perspectives. One is, how many negative SEO attacks are going on at any one time, and that’s a smaller number than the number of people that are affected. What it appears is that a negative SEO attacker will go after all the competitors for a given keyword of their client. And so when an attack is underway, there may be 10, 20, or 100 websites hit by it.

What I see across 600 clients I’ve had over the past ten years, 5% to 10% of them were being hit as part of a negative SEO attack. Whether they were directly targeted or just their keywords were targeted, it’s hard to tell. There’s also a ton of black hat stuff going on out there with people scraping content without doing any real work and making some funny AdSense, whose links work a lot like negative SEO.

Because those scrapers are scraping all eCommerce sites in that product category, almost every website out there is going to have a bunch of these kinds of bad links that might not be negative SEO. However, they’re still toxic and not suitable for your link profile and not good for your ranking.

Time Stamp: 05:19-07:30

Senthil: Right. So how is this whole thing supposed to work, Michael, with regards to negative SEO? For example, as you mentioned, the scrapers and spammers are going to spin a web around spammy backlinks towards a site. Back in the days during 2006 or 2007, we used to register a domain name and try to experiment with tons of backlinks; some people would want to try it with another website rather than building the site on their own. So, is this the big difference, like maybe negative SEO versus these kinds of black hat experiments?

Michael: Well, typically, the black hat experiments are going to produce the links that are going to show up in SEMrush, Moz, Ahrefs, Majestic, etc. because they want Google to see it and help their site rank better. The companies that seem to be doing most of the successful negative SEO out there are cloaking their links so that only Google bot sees it.

The reason they do so is if it’s very easy for anybody to spot the negative SEO coming in, then they’ll be defeated. And so it’s in their best interest to hide these links so that most people who are under attack don’t know they have these bad links. So what’ll happen is we’ll make the site or the page check the user agent. If the user agent is Google bot, then they’ll show the page and the link, if the user agent is not Google bot, you’ll see a 404 or 408 return code.

If you’re not Google bot, you see a 404 or 408 or 522 or 523 server error response code, and so all these tools go, oh that Link’s dead, that can’t hurt you. But, Google still sees it, cause when Google turns around and fetches that page again, they get a 200 response code in a nice page with that horrible act to your site.

Time Stamp: 07:33-10:16

Senthil: Right. So, how do we detect this? Is there anything that people can do about it because this is really scary.

Michael: Well, the key is that with the Search Console, you can see what Google bot sees. You might as well look and see the links that Google is seeing and recording for or against your profile. So, when you export the latest links, you can start to see patterns. So maybe your website has been gathering 10 to 100 links a month for months after months, and then all of a sudden in that latest links profile, you’ll see 3000 links a month from the past two months. That audit triggers a red flag in your head.

Just by looking at the domain names, you’ll see things like the domain name contains porn words or TLDs from very unusual places, so, .tk, .ga,.cf, .info, and.xyz, are commonly used. The other thing that you’ll see is numbered subdomains. For one client, I saw links from 44,000 subdomains from one link farm. When you see these strange looking domain names, that’s a clue.

The other one that’s out there is more of like some sort of a scraper site, cause it seems to have photo galleries and things like that, as they’re creating or buying domains that are people’s names, including celebrities like Sarah McLachlan, Michael Malarkey, Bob Woolmer. But, I think this is not negative SEO,

If you’re looking through your profile, and you’re getting just good links, you’re expected to see new stuff from Yellow Pages, Quora, Yahoo Answers, Google groups, etc. When all of a sudden, you start seeing all these really weird domain names that don’t make sense. That’s, that’s a clue that maybe something is going on.

Time Stamp: 10:20-14:37

Senthil: Well, that sounds a lot. So what’s the time period you recommend people doing this? Like how long should SEOs be checking these backlinks, downloading the reports, and try to run a detailed audit to check out the spammy things?

Michael: Well, it depends whether you see symptoms or not. The original goal of a negative SEO attack was to get your competitor completely penalized, which would push them down maybe 50 places. That typically doesn’t happen so much anymore. There are algorithmic penalties out there, especially keyword specific ones. So, if somebody puts out a hundred thousand blog comments with your money anchor text, well yeah, you get a penalty for that keyword. That’ll get pushed down or eliminated from the search results for that keyword.

But mostly what you see is not a penalty, but it seems like Google is looking at the average strength of links to you or the shape of your backlink profile. When you all of a sudden get tons and tons of zero or 1% kind of value links, that seems to affect some sort of trust measurements. That’s not really part of the page rank, but it’s maybe getting trust factors multiplied by your page rank for something like that. So you’ll be ranking, let’s say number three, or number four for your most important keyword for month after month, and then all of a sudden you go down to fifth, sixth or seventh position and so on.

This is because the trust factor seems to be kind of getting eroded as more and more crappy links are being discovered by Google. So if you see that pattern where everything seemed fine for a long time and then it just kind of slowly dropped away and over three months, it’s a big hit that you need to start looking right now.

Now, if you’re not suspecting anything like that, I think it’s worthwhile for everybody to have a look at their backlink profile and get rid of some of these scraper sites that link to everybody. Google, as of Penguin 4.0, a couple of years ago says, hey, you don’t need to worry about this. We know how to handle these kinds of bad links, and we’re just going to ignore them. That’s probably mostly true, but “mostly” is a funny word. If I told you that you were going to receive most of your paycheck, you’d probably be concerned about how much most was?

So, when Google ignores most of the links, and there’s still enough links left there to hurt you, that affects your ranking, then it’s a big deal, and you can’t just let Google deal with that. You need to go in there and do that cleanout.

So how often should you go back and do it again? I would treat it like your site traffic. How often do you go into Google Analytics to look at your site traffic, or how often do you go into the search console and your performance report to look at your site traffic and some of your key rankings?

If you’re doing that once a week, then you probably ought to at least take a peek at the latest links once a week and just see if there’s anything that smells funny in the last week’s worth of links. And if you do not see anything crazy, and see the same sort of stuff every week, which is mostly good stuff, then I wouldn’t do an intense backlinks review.

Just monitor once in a while, and when all of a sudden, you start to see a whole bunch of .info sites linking to you or Instagram or Twitter collection bookmarking sites linked to you, maybe it’s time to go in and do a more serious backlinks review.

Time Stamp: 14:41-18:17

Senthil: So yeah, whoever’s listening to this podcast, if you work on SEO, this is definitely one task item that you should be adding in your checklist. Like Michael has suggested, it’s always better to keep track of this, just like you track your keyword rankings.

So is there any automation available to combat these kinds of things, Michael? IAre there some tools or something available?

Michael: Well, I’ve used a whole pile of different tools, and they all have their pros and cons. What I like to do is I use a tool called Link Risk from Kerboo, it’s a company in the UK. It is pricy licensed, but you know, what’s your business worth if you’re getting attacked. If you can lose 30% of your business, what would that cost you? I think for what it does, and its ability to detect the bad stuff, it’s pretty worthwhile.

One of the things I really like about Kerboo Link Risk is you can hook it up to your Search Console, and when you do that, it auto imports the new links, and it sends you an email once done. You can then go through and review just the ones that have been added. It saves you a ton of time versus downloading all the links to figure out what the last date was and deleting those from the spreadsheet.

I let it flag for me the sites that it thinks are bad. So there’s going to be two categories of problem links. One is going to be ones that are not cloaked but are toxic. So the one’s link risk doesn’t flag as bad are going to be ones that are visible to everybody, not just Google bot. So you’re going to go through those, add your disavow file, and then you’re going to go through the links that were added since last time you reviewed, you have not already disavowed the domains and where the link status is inactive. Those are sites where they’re cloaked, so only Google bot sees them, and Link Risk or Moz Pro don’t see the link on the page.

Now with the ones that are cloaked, you can’t get any toxicity score from link risk because it thinks it’s dead. But you can open those links in your browser and use the Moz Pro toolbar and look at the spam score for the domain and look at the links to the domain, and that’ll tell you a lot. So those are the tools I use.

So, how do I decide if a link is spammy or not, the overriding principle is if the link doesn’t have any positive value and there’s any hint that it might be toxic, you might as well disavow it. I only really dive in and look carefully at a site if the site does appear to have decent domain authority. So let’s say a website had a domain authority of 45, with the Moz Pro toolbar, and then you look at the spam score of 67%. If the Moz toolbar flagged it with a high score like that, I’m going to disavow it even though it has a high domain authority.

If, on the other hand, the domain authority was 2, and the Moz spam score was 5%, I’d still disavow it, especially if link risk also flagged it because if those tools saw some pattern, they didn’t like, Google probably saw the same pattern, and it’s not doing you any good anyway, so you might as well disavow it.

Time Stamp: 18:19-21:22

Senthil: Perfect. So, does the Kerboo Link Risk give us any notification or something like that so that we could be alerted, or is it like we have to manually log in and keep checking it once in a while?

Michael: Well, so it’s going to give you notifications when it’s important for a new batch of links. About once a week, I get emails from my sites on that. You can then schedule yourself some time to go in and look at those new links. Whether it’s Kerboo or Moz, don’t trust the link toxicity score from any of those tools a hundred percent, because sometimes, they’ll get flagged simply because of some patterns that might not really be strong spam patterns.

I wouldn’t disavow everything, cause sometimes Google-owned properties get flagged, and so you’re always going to want to go through and take a second look and let some of those go. It’s always going to be a bit of a manual process. There are also sites out there that are clearly going to be toxic at some point, whether Google spots them now or not, they are getting past these tools.

So, for example, there’s a series of sites that are scraping images from various sites. They’ll all have the same pattern near the top of the page that says if you’re looking for images about XYZ, we’ve got, you know, 325 images of XYZ, and if you start seeing those in your profile, you’ll see hundreds or thousands of sites that all look about the same. Whatever these folks are doing is not triggering the red flags in the tools. But as humans, you can look out and go, okay, I know this is bad.

There are ones that will do three or two redirects to a legit site. So if you’re just manually going through links, you might think this is a legit site. If you actually put that domain into Moz, you’ll see giant spam score. So you got to watch for things where the tools might not necessarily pick it up, but you as a human looking at it will go, hey, wait a minute, I’ve seen this same thing, you know, 25 times already and this doesn’t seem legit.

Time Stamp: 21:27-23:00

Senthil: Right. And, and it’ll be great if these tools could also tell us who’s doing that, right? Is this, is it possible to detect who’s doing that?

Michael: Well, so that’s tough. So any negative SEO person with half a brain is going to do domain registration privacy, and the biggest attackers are all using CloudFlare to protect themselves against being identified. CloudFlare is aware of it, but you know, they’re getting paid money, so they just turn a blind eye, and CloudFlare does the same thing with porn sites and online gambling.

About 25% of the sites I found in CloudFlare are questionable if not criminal or negative SEO and they’re all hiding behind this. So you can’t find them, and even if you want to take some legal action against them, they’re probably not from your country, so how are you going to do any enforcement?

So even if you could identify who it was, you can’t do anything, and they’re not going to roll over on their client and tell you which of your competitors actually paid them to make this attack because your competitor might be in your own country. So if you could find that the cardiologist down the street from you is paying this negative SEO attacker, then you could obviously take legal proceedings against your competitor who’s in the same city as you, but they’re never going to tell you who did it because if they’re known for rolling over in their clients, they’re not going to get any more clients.

Time Stamp: 23:01-24:18

Senthil: Well, there should be a big lawsuit on the cards. People are losing tons of money because of this. We wish there were some more tools that could pick up some of these top-notch companies for providing CDN.

Especially in the COVID situation, businesses are on the tough stage and are just trying to come out of this. I think this company should support them and try to disallow people from negatively attacking others.

Michael:  I totally agree. I’m actually kind of surprised that we haven’t seen any news about CloudFlare getting sued because it’s pretty clear that they’re blocking these folks. I actually tried to report the link farm of 44,000 subdomains to CloudFlare, and their tech support response to me was I had to submit an abuse report for every one of the 44,000 domains.

So, they’re basically saying, go away, these guys are still paying us money. So at some point, I’m sure this will come to an end, and somebody will take them to court, but that hasn’t happened yet, it seems.

Time Stamp: 24:20-25:10

Senthil: All right. Well, Michael, that was a great learning session about SEO from you. It’s been a pleasure to have you on our show. So guys, who’re listening to the show, if you have any feedback or comments for us, please feel free to let us know. If you have any other questions related to whatever has been covered in the show, please feel free to leave your comments as well.

We’ll ensure that we get in touch with Michael, and he’ll be able to give you guys the answers that you are looking for. It’s a very tough situation these days, with a lot of businesses trying to come out of it. So, ensure that you are in the positive territory. Stay safe. Thank you guys for tuning in. Have a great day. Bye.